168 comments

[ 2.9 ms ] story [ 49.5 ms ] thread
Between 2018 and 2020, I wrote a website that cloned the databases of a couple online learning platforms, and used it to skip lots of homework I should have done.

I wrote this at the beginning of the year, but never released it as I was never sure if I was missing details. I realised today there is no point in keeping it hidden, so brushed it up a bit and published it.

Btw, the repo that houses the blog is open source, so feel free to fork or whatever and use it as your own

I love the veiled threat to "take a legal approach" in the last email. If I ever take over the world, there will be a law where if you imply that you're investigating litigation, you have to file your case within 24 hours or the ability expires.
Hahaha true, and that's really not even a terrible idea to give 24 hours.

We definitely ended things on a good note with Hegarty & Educake. They were really friendly to us and also super helpful to be honest, good team over there.

That's good to hear. Maybe it wasn't a veiled threat, but rather an attempt to be nice. ("A lot of companies would sue you right now, but we would never do that," could be an alternate reading.)
100% veiled threat. Even the "a lot of companies.." interpretation is just a reminder of their power should you not want to hop on that call.
He explicitly avoided saying he wouldn't do it. He said he prefered not to, because he was making a threat to harm the person who exposed his incompetence and caused no harm.
That would be a really, really annoying world, because people wouldn't threaten litigation, they would actually just start suing immediately. If you have only two choices: to not do anything and put yourself at risk, or start the expensive and time-consuming litigation process, the latter will be the "smart" move more often than not. Products and services would become more expensive, there would be fewer free things, there would be more weasel words and fucked up clauses in ToS, etc. Let's not go down that path.
I think this was an "educational experience" in the truest sense. Hegarty showed the spirit of a true educator. This is a situation that can end up with legal action -- but there is a much better path for both sides! Young people may not know the ramifications of their actions, and it is much better to show the range of outcomes and work together for a mutually beneficial solution.
Everyone has to start somewhere. These young lads “worked around” couple of educational platforms. 35 years ago I was hex dumping ZX Spectrum game saves and disassembling the program files to get more lives, infinite lives or just more ammo or whatever. That seemed easier and more interesting than getting good at games themselves.

I sometimes wonder if that kind of “not approved” intellectual curiosity can be used to augment education. Sort of like having old school alarm clocks that are designed to be disassembled.

Heh, I still use game trainers for games that have annoying grinds. The Assassin's Creed games come to mind. There is no way I'm spending 150 hours on grinding just to progress through a level gated region of the map.
Some people just want casual gaming and having part of the map locked off forever is depressing - in my case, Forza Horizon 5, never bothered to do the grind, just drive around aimlessly, but I want all the cars and interesting places to be open. Maybe a "casual mode" setting?
That's a good point, you're definitely on to something I think. Reversing classes at a young age would be super engaging for kids as it's "not something you're supposed to do"

My mother is a teacher for ages 7-11 and I help out with her IT curricula sometimes. I think I might do some reversing with her next time I am with them!

I fondly remember playing Bard's Tale on one computer while using the other one to edit the character files and reverse engineering all the item codes and other statistics. Good times.
I did the same thing with Bolo on an Apple ][e - I never got very good at the game but I dumped the assembler code for the whole thing onto greenbar paper and marked it up with highlighters. Then gave myself infinite lives, made the maze walls penetrable, made myself invisible to the robots - all kinds of stuff.

The penetrable walls were the best, because if you drove your tank off the map, the graphics renderer would just look at whatever memory happened to be specified by your impossible coordinates, display eerie shifting structures that were the working memory of your code, and pretty quickly crash the whole machine writing the tank sprite into god knows what.

That was a fun summer. I wonder if my mom still has that greenbar printout in her basement.

When I was way way younger, I mucked about in our school's computer library and the network security (or rather, how the permissions were set up) until I figured out a way to run and share Halo and Soldier of Fortune 2 off of a networked USB stick (or maybe I just copied it to my computer and then shared it off of the HDD, the memory is pretty vague). This is back in the XP days.

It worked pretty well and we had many a play session with 10-16 kids, alt-tabs were pressed, until somehow they discovered we were playing games, and then a bit later they found some residual files that had my account as the initial creator set on them.

I got a 30 minute dressing down talk from the IT head, then again from my mentor, and then again from the 'dean' (our school system is a little different). Then I had detention after school for months.

No one ever asked me how I actually bypassed their network permissions. When I found another exploit weeks later, I never used it, but I also never told them.

I still do this on my iPhone. As long as you keep the bit count the same i.e. changing 12 points to 99 the code signing passes and you don’t need to do anything but edit the hex.
It sounds like you're saying iPhones have an easily exploitable code signing vulnerability. It's that correct?
(comment deleted)
That sounds more like a data format with length-prefixed fields.
When I was 6 years old my older brother showed me how to use Copy ][ Plus/Edit (what was it called? This was 35 years ago) to edit my characters’ stats in the Bard’s Tale and other games. I’d learn to search for specific strings like a Character name and then twiddle bits to change level or whatever.

It made no sense to me until HS where I started to understand how I was editing a Data file, and more in college when I learned assembler.

Hex-editing save game files to cheat at Civilisation 1 was what got me into open source, where I started working on improving the hex editor I was using, frhed, which was GPL.
I've been doing something similar but in the pursuit of graphics assets. Typical ZX Spectrum game was usually one blob of bytes containing everything it needed to run. I'd load the main game block into memory and run small assembly routine displaying a fragment of code on screen in a form of a window with dynamically configurable width and height. You could "slide" the window throughout whole memory block, which was quite fast, and eventually you'd find out something resembling backgrounds, sprites, fonts. Often they were of different dimensions, hence the dynamic window size. After few tweaks you'd find the offset and the size of assets and you could replace them easily. I'll never forget the Rocky Horror Show play-through with all the characters replaced with their other, rather obscene, versions. Well, not so mature when you think about it, but quite funny it was back then. If anything I've learned quite a few tricks about fitting a lot of assets into very limited memory.
Honestly kind of impressed that the HegartyMaths guy independently found this and then handled it without (explicitly) threatening to sue you.
They were champs! We even connected on LinkedIn with Colin afterwards and he actually offered us summer work but that fell through unfortunately.
He didn't pay you for the consulting time you have him?
Money is vain. They got much more out of it and the post very clearly states that.
The jump-straight-to-suing approach is to be honest a bit specific to the US. In the UK (like here) it’s more usual to deal with these sorts of things with a kind word, combined with hints of potential problems later.
I think you passed the take home interview and phone screen for this company.
I hope they did their homework even after breaking the platform.
tbh i had online math homework years ago now like back in 5th grade. my solution was a whole lot jankier but i spent more time writing a script to store and use answers (unlimited quiz retakes go brrrr) than it would have taken me to just do the quizzes and was still happy. i ended up with this unholy thing that used a flat text file like a very ghetto database bc i didn't know shit about coding... eventually got to this thing that stored question text alphabetized line-by-line and binary-searched through so that was at least less terrible.

anyway i spent probably 10x as long on this and was happier because grinding repetitive math problems is fucking boring. so if he didn't do his math homework honestly who cares.

> flat text file like a very ghetto database

My second site was a blog in about 1998. I had never heard of a blog, but whatever. I built a user system, "karma" system, ability to spend karma (anyone with enough karma could post on my front page), an interactive choose-your-own-adventure story where you got to help write it, and some other features I'm forgetting.

Anyway, I built all that with flat files at first, because I hadn't heard the word "database" yet--even though I wrote this in PHP. As soon as I heard about databases, I converted it in a couple days.

Wow that's amazing! The best part is that you managed to get their entire database, that must have taken a lot of work. How did that burner account thing work?

My favorite experience with "hacking" in school involves wifi. My school had free wifi, but you had to log in with your student password. Well, the login step involved a GET request in which the password was sent in plain text as a URL parameter... so if you had your friend's laptop, it was a simple matter of looking at his browser history to see his password!

Never did anything with it, but always wondered what someone seriously motivated could have done with it

Burner account was really just a friend of ours, it wasn't something you could just sign up for and join a class. The teacher had to create your user account for you and give you a login, and assign you to a class.

He ended up getting his account reset a lot of times, but it was funny having him answer the entire dataset of questions in literally about 1m30s...

School security always seems to be a funny weak point, it seems common that a school's budget never seems to reach the IT department... and yet everybody is shocked when a vuln is discovered like that :p

Awesome story, and good response by Hegarty. It reminds me of something similar (but with an opposite response), where an intern who worked at Replit built a basic repl site (not even a clone) but was threatened by the CEO that he'd be sued.

https://news.ycombinator.com/item?id=27424195

The threat of suing very much loomed in the background if they did not cooperate. Hegarty is just more slick, buttering them up with (well deserved) praises and attention from grownups to get voluntary cooperation.
I didn't really get that vibe, especially when we called Colin. He was super friendly. But then again, we didn't want to test it and we complied immediately =)
Diplomacy often comes across as friendliness. I've been in situations where I've not acquiesced and seen how quickly things can change. As they say, don't take friendliness for weakness. Wonderfully managed by all parties though.
Yeah, chances are Hegarty was actually impressed and alarmed, and the best way to reconcile both of those was to befriend this kid, share the info so that HegartyMath doesn't get damaged from the leak, and send some praise their way for identifying a glaring security and utility issue in the app.
I always remember that story and is the reason I’ve boycotted replit. This dude let the smallest amount of success go to his head and immediately started acting like a tyrant.
Wow what a dick. Yeah they backed off after the backlash but that shouldn’t have happened in the first place.

I’ll use Codespaces next time

University was my playground for this sort of this sort of thing (because my high school was all paper). One subject used an Online Platform called Wiley which stored the answer in the page, a weekend writing up the script to solve it, fake a realistic completed percentage and take a realistic amount of time to solve. I used a greasemonkey script, just like this post as well!

Countless subjects also distributed questions and answers from Textbooks in a PDF format. One OCR run later and a script to clean text I had a database of questions and answers I could share with my friends to practice for the exam (which helpfully used the exact same questions). https://www.rytek.me/archive/projects/epmquiz-webapp/

I never did flex my cheating like you did haha for fear of the repercussions.

This is a really heartwarming tale of having good intentions and assuming it of others. There was a similar situation in my high school days where someone's college path to computer science was taken away for something even less malevolent than described in this post, he ended up becoming a pretty wild startup founder and a defrauder of millions.
These online learning platforms should also consider drawing on canvas e.g. flutter to make it harder to scrape screen contents

I think they could also just check the isTrusted field in the Event since that can't be overwritten without a custom compiled browser

It's always a game of cat and mouse... if a human can use a website then it's theoretically possible that a robot can too. I used to do a lot of sneaker botting a few years prior, so I kind of lot about web automation then. Developers will always find a way, even if it means spending more time writing the software than it would have just doing the homework
That's a total no-go unfortunately since WCAG-AA accessibility is a non-optional requirement in edtech.

The solution in general is in improving the quality of the content, using a more sophisticated format of questions that requires work rather than mere knowledge (which is also far better for formative assessment, but most platforms are focused on summative, particularly in the US)... independent multi-choice is always easily gameable in some way - if there is no better format of question available, the best that can be done for multi-choice is to have a massive pool from which you randomly draw a different subset of questions for each student, and limit the number of attempts to make it impossible to fully scrape... even then, a smart group of students may pool and share their feedback as they progress.

The tricky thing is that you want to encourage such behaviour, helping each other learn, and although in some people's eyes this is purely cheating, it's not dissimilar in spirit.

Aside from being easy to cheat on, multiple choice tests are bad measures of knowledge/ability.

I'm good at them. I can often infer the desired answer from the phrasing of the question and answer without actually knowing enough about the topic to answer correctly in a free response format. I can almost always eliminate a wrong answer or two that way even if I can't necessarily pick the winner, improving my odds.

Some people are bad at them, especially when the test demands the "best" of several defensible options.

In either case, the test results in an unfair and inaccurate estimate of the evaluatee's performance.

Bad multiple choice sets reminded me of a history class my friend took in summer school. All the questions were multiple choice, and the teacher was extremely lazy and decided that the answer bank for every question would just be randomly drawn from the population of all answers. The end result is that most the questions end up like :

What year was the Declaration of Independence signed?

a) Martian Luther King Jr. b) The Spanish-American War c) 1776 d) The New Deal

Needless to say everyone aced the test.

Why would you need to fake whether you watched a video? Just let it play while you do something else. If it still bothers you how long it takes, put it on 2x speed.
It was part of the homework, we had to watch a video and write down notes in a physical notebook. The notebook was never checked because they assumed that a video watched >=1x meant that we understood the task. The videos took a while to watch so we'd rather skip.
Reminds me of a passion project I started in high school that went completely viral and took on a life of its own. Wrote a small script for my friends to check their AP scores a few days early. Required high schoolers giving clear text access to their entire CollegeBoard account so I could log on and scrape their scores. Somehow it got posted to Reddit and from that year on, grew wildly. Got to almost 2 million students checking their score in its peak year. It was immensely fun while it lasted (ran for about 7 years) and honestly I miss the thrill of it. CollegeBoard now releases all scores on the same day so the site is pretty much useless now. Definitely always looking to chase the thrill of that score release day again though.

Congrats on a successful end to a fun high school project! Stories like this are always fun to read.

You ran EarlyScores? Thanks for a tool that really helped my friends and I!
You’re welcome - Glad it helped!
I remember that kind of thrill. For a while I ran a tool for Etsy before they had an API, circa 2007. What they did have was AMFPHP, powering their flash toys (treasury, etc). I used it to allow sellers to see their sales stats.

Even went to the Etsy office in Brooklyn at one point and had a chat about it. I think some of the team was a bit bemused that I'd essentially extracted a large amount of data. But they took forever to get to the point of having an actual API (and I was one of the early users of this as well).

Eventually it became unsustainable and I shut it down, but it sure was fun having people be passionate about using it and sharing it.

Can you elaborate on the approach? This sounds really interesting but I don't quite understand from reading your comment and https://earlyscores.com/about/

I think I remember paying some small amount of money (flat fee irrespective of # of years, IIRC) to get my scores quicker via a phone call in 2003,2004,2005. Perhaps I would've been better served by your EarlyScores.

Probably wouldn't have helped.

> In 2014, with my first AP courses under my belt, I anxiously anticipated the release of my AP scores. What I realized at that time was that scores were rolled out by the College Board over a week’s time, and my AP scores would be accessible on one of the later dates. The need to see my scores on the first available date spurred me to create EarlyScores.com.

The approach was fairly simple: access to the college board’s website was geo-IP restricted for about 5 days time. It would start with a small collection of states, and each day over the five days another group of states would get access to the site starting at ~8:00am EST. I would get a few AWS/GCP/DigitalOcean nodes in a DC that had an IP in a state releasing on the first day. Put a small JS script on the nodes that would use the username and password input from students to sign in to their Account and send back the scores. Basically just a proxy without the need for configuration.
Interesting response from Mr Hegarty. I wonder if they would have gotten the same treatment by a US company?
I did a similar thing as a universtiy student and received a similar very nice response from a (huge) US company.

I got good advice and a cool story out of it.

There are nice people everywhere.

Congrats Alistair and Scott! This is an amazing story that made me remember my high-school days. As the authors, I was into programming from an early age, and high school definitely took the second place :) My grades ended up REALLY suffering when I got my first full-time role at a startup while I was 17 years old (parents approved) and on my last school year. Fast-forward many years and I don't regret a thing. I attended University of Oxford (despite my bad grades!) and I'm doing very well doing what I love.

Wish you both a very, very bright future!

Thank you! Alistair and I have been in startups since we were 15/16, and we've both now finished school and work full time in the startup space. My grades definitely took a down turn the last two years, but I'm happy with my decisions and am loving working in tech!
I think it's fair to say most of us had our grades suffer. My GCSEs back in 06 were terrible, but no wonder, I spent most of my time hacking & writing code. I'm no worse off for it, and I'm sure you won't be either!
thank you for the kind words :) things are going well for us so far, so fingers crossed it stays like this! You've put a big smile on my face :)
I was a supply teacher. A kid did something similar in early 2010s and he was doing online homeworks for his classmates for about $1 per month. He had about a hundred clients at the peak and he was never caught.
Overall, those who cheat are lazy by nature, and therefore easy to catch.

I teach art and design. Now is grading season and it is maddeningly easy to catch students who plagiarize. Like shooting fish in a barrel.

The contract cheating is another thing. At one of my previous places of employment, companies contacted students directly on their university mail and approach them offering 'educational services'. Some of them even knew what courses the students were taking.

And professors complain about not being able to get data to check on enrollment trends for their departments!
Half serious here. If they’re so smart why didn’t they know about screenshots? I mean part of their proof was a photograph of a screen, which seems odd to me.
We never really thought about documenting progress, so the photo of the email was taken from a phone camera of a teacher's computer (they had sent the email). We managed to find it while I was writing the article earlier on in the year, in a "deleted pictures" folder. I thought it would be cool to add it on. It's purely because the project spanned such a long time and nothing was really written down or saved.
This reminds me of when I was in college, they used this platform that randomly gave out questions, and the same platform was used for quizzes. It was one of my first practical programming experiences to scrape all the questions and save them as a text file. Later on, these files were passed around the entire class etc. It is just astonishing to see how these things spread.
Ha. I had a homeroom teacher in grade 8 who would clip out the numerical crossword puzzle (basically like super-Sudoku) from the newspaper and give us a bonus mark if we could complete it by the next morning.

I was the kid who wrote myself a recursive descent solver for it in QuickBasic, of all things.

Using programming to avoid homework has a long and storied history.

One of my very first programs I wrote was a QBASIC program to sort my spelling words in 2nd grade in 1991. I loved the idea of beating the system more than I actually disliked sorting my spelling words. I was quite proud of myself, and it seems to have worked out in the long run.